Galaxy Credit card

INFORMATION ON PERSONAL DATA PROCESSING OF THE DATA OF NATURAL PERSONS BY DSK BANK AD

DSK Bank AD is a commercial company, registered in the Commercial Register and the Register of Non-Profit Legal Entities with the Registry Agency with UIC number 121830616 with headquarters and address of management: 1000 Sofia, 19 Moskovska Str., tel. *2375 / 0700 10 375; fax: (+359 2) 9076 499; e-mail: call_center@dskbank.bg; website www.dskbank.bg. 
As a Data Controller it operates in strict compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the Personal Data Protection Act. DSK Bank is part of OTP Group which provides financial services in Central and Eastern Europe. DSK Rodina, DSK Trans Security, DSK Leasing, OTP Leasing, DSK Asset Management, DSK Dom, OTP Factoring Bulgaria, DSK Tours and DSK Mobile are part of DSK Group in Bulgaria.


Contact details of the Data Protection Officer: e-mail: DPO@dskbank.bg.


This information applies to the processing of personal data of:
(a) persons who conclude a bank financing agreement and /or a contract for securing such an agreement (guarantee, pledge, mortgage), or who apply  for such a contract, incl. request for personalized and non-personalized offers;
(b) persons submitting a request for conclusion of an agreement other than the one under letter (a) or who apply for such a contract, incl. request for personalized and non-personalized offers;
(c) persons who conclude single performance contracts with the Bank, for example, contracts under which single payment services are provided;
(d) persons who submit a complaint/ request/ offer without being customers of the Bank;
(e) seller of real property - where the buyer of the property which will be used as collateral under the loan agreement receives financing;
(f) persons whose debts to another creditor are refinanced with a loan from the Bank;
(g) persons who submit a request for verification of liabilities for local taxes and charges
(h) representatives of the persons (natural and legal) under the above points;
(i) others.


2.1.1. DSK Bank processes the following personal data and categories of personal data of individuals referred to under p. 1.2. letters (c) to (g):
(a) names, identification number, date and place of birth, nationality, type, number and copy of identity document;
(b) contact details, for example: addresses, landline/mobile phone, e-mail;
(c) demographic data, for example:  gender, age, place of residence;
d) physical identity data - facial images, voice, handwriting. 
(e) data on the economic situation, for example, existence of credit obligations;
(f) tax and social security information, such as public payment obligations and place of employment.


2.1.2. In addition to the data under p. 2.1.2., in respect of clients of the Bank under p. 1.2. letters "a" and "b", the Bank also process the following data:
(a) location;
(b) data about place of employment, position/occupation; 
(c) student information, for example: educational institution, faculty number, professional field, specialty, course, full-time/ part-time education;
(d) data about used and rejected products/services of the Bank and of third parties - contractors of the Bank;


2.2. For the purposes of bank financing, as well as for direct marketing of products and services of the Bank, besides the data under p. 2.1.1. and 2.1.2., DSK Bank also processes the following personal data of individuals under p. 1.2. letters "a" and "b":  
(a) data on the economic situation which DSK Bank possesses in connection with previously used products and services of the Bank as well as data obtained from the NSSI, CCR, NRA information databases /only with the consent of the client for this purpose/, for example: income, owned property, indebtedness; existence of public payment obligations;
(b) civil status data available to DSK Bank in connection with used products and services of the Bank, for example: marital status, related parties.


2.3. In respect of the representatives of natural persons and corporate customers, the Bank processes the following data:
(a) name and identification number;
(b) date and place of birth, citizenship;
(c) identity document;
(d) contact details, for example: addresses, landline/mobile phone, e-mail;
e) location;
(f) data relating to place of employment, position/occupation;
(g) physical identity data - facial images, voice, handwriting.


2.4. DSK Bank processes the following personal data of the actual owners of a corporate customer: name, identification number, date and place of birth, citizenship, identity document, permanent address;


3.1. The personal data of natural persons is processed for the purposes of: 
(a) conclusion and execution of a contract with the Bank to which the individual is a party/representative of another person; execution of a contract under which the Bank or the natural person subrogates to the rights/succeeds in the rights and/or obligations another person, as well as for actions preceding and warranting the conclusion of a contract;
(b) exercise of legal rights and obligations of the Bank in connection with the conclusion and performance of the contracts under letter "a";
(c) realization of the rights and interests of the Bank which has justified advantage over the interests of natural persons, including performing of direct marketing trough research on proposed and/or used products and services, as well as offering by telephone, mail or other direct means products and services of the Bank for which it is assumed that the client could have expected offers, taking into account the Bank's products and services already used.
 (d) direct marketing of products and services of the Bank, except for the cases of letter. "C" as well as third party products and services, incl. subsidiaries of the Bank offered by it under a contract with these persons - only with the consent of the individual.;
(e) automatic exchange of financial information under Chapter XVI, Section IIIa of the Tax and Social Insurance Code, comprising of automated processing of personal data by applying the due diligence procedures under the Tax and Social Insurance Code.


3.2. In connection with the conclusion of a bank financing agreement and /or a contract for securing such an agreement (guarantee, pledge, mortgage), except for the purposes under p. 3.1., the personal data of natural persons is processed also for the purposes of:
(a) consideration of a request for financing, valuation of collateral, performance of a creditworthiness analysis which includes, among other checks, requesting and receiving data from official national registers, such as registers maintained by the NSSI, the CCR, the NRA , from databases of the Bank, etc., and other preparatory steps for the conclusion of a financing agreement and agreements for the establishment of collateral; 
(b) establishment and renewal of the collateral under the contract; 
(c) taking out and maintaining property insurance as required under the contract or if the Bank, at its own discretion, takes out insurance against the risk assumed.


3.3. The representatives data under p. 1.2., letter “h” is processed for the purposes of p. 3.1., letters “a”, ‘b” and “e”
The Bank processes the following personal data of natural persons referred to under p. 1.2., letters (e) to (i) for the for the realization of rights and interests of the Bank that have a justified advantage over the interests of natural persons, and in the cases of concluding a contract for bank financing and / or a contract for its collateral (guarantee, pledge, mortgage) on behalf of the represented person - and for the purposes of:
(a) consideration of a request for the use of funding and other preparatory actions for the conclusion of a financing contract and contracts for the establishment of collateral;
(b) the establishment and renewal of the collateral under the contract;
(c) the conclusion and maintenance of property insurance where required under the contract or when the Bank, at its own discretion, undertakes insurance of the risk assumed.


3.4. The Bank processes personal data to individuals under p. 1.2. letter "c" to "g" for the following purposes:
a) conclusion and performance of single performance contracts under which the natural person to whom the data relate is a party to or has concluded such a contract as a representative of another person, including for actions that preceded and warranted the conclusion of such a contract; 
(b) taking preparatory steps for the conclusion of a bank financing agreement for refinancing of credit obligations of the natural person whose personal data are being processed; 
(c) requesting and obtaining data from official national registers (e.g., the NRA register for public liabilities) relating to the owner of the real estate, for example, in the event of financing received by the buyer of the property where the property will also be a used as collateral under the loan agreement;
d) analysing issues raised in a complaint/ request/ proposal and preparing an answer;
e) execution of legal rights and obligations of the Bank.


3.5. The personal data of the actual owners of a corporate customer is processed for identification purposes and for the purposes of enforcement of anti-money laundering and terrorist financing measures in fulfillment of the Bank's legal obligations.


4. The processing of personal data shall be based on:
(a) a contract with the Bank or a third party through the Bank, to which the natural person is a party/representative of another person, including for actions that preceded and warranted the conclusion of such a contract and undertaken at the request of the person; or
(b) the consent of the natural person, or
(c) realization of rights and interests of the Bank which have justified advantage over the interests of natural persons, or
(e) execution of legal rights and obligations of the Bank.


5.1. The personal data of the individuals under p.1.2., letters "a" and "b" as well as data of representatives of natural and legal persons, collected and processed by the Bank, may be provided to the following categories of recipients of personal data::
(a) persons entrusted with the preparation, printing, assembling, delivery (including via SMS communications or electronically) of written correspondence and/or information materials of the Bank; 
(b) persons entrusted with bank card issuance;
(c) persons with whom the Bank has concluded a contract for joint development and servicing of products and/or provision of services;
(d) persons whose services the Bank uses in providing investment and additional services to clients;
(e) persons and institutions with which the Bank has concluded loan portfolio guarantee contracts and/or individual loan guarantee contracts;
(f) persons entrusted by virtue of a contract to assist the Bank in the management and collection of its receivables; 
(g) persons to whom the Bank proposes to sell its receivables;
(h) persons to whom the Bank has given notice of early repayment under loan agreements or other form of financing (e.g., notaries, private enforcement agents);  
(i) external contact centres;
(k) traders who are intermediaries in the provision of loans or other banking products and services by virtue of a contract concluded with the Bank;
(l) other companies from the group of DSK Bank (OTP Group) where it is required for the purposes of decision-making, administration and control in connection with the provision and execution of the services provided by the Bank, or these companies;
(m) persons to whom in connection with the processing for the purposes specified under p. 3 the Bank has entrusted the processing of personal data for organizational reasons other than those mentioned above, for example: development and maintenance of the Bank's systems; storage of data; control of access to the premises of the Bank, etc;
(n) bodies, institutions, regulated markets of which the Bank is a member – with regard to the realization and protection of the rights and interests of the Bank or as well as other persons to whom the Bank is required to provide personal data in accordance with a statutory requirement;
(o) payment organizations and systems serving cashless payments and transfers, including with payment instruments.
(p) insurers with whom the Bank has a contract and their partners for the purpose of concluding, maintaining and realizing property insurance, as well as persons to whom the Bank assigns a valuation of collateral.


5.2.1. The personal data of individuals under p. 1.2., letters (c) to (g) collected and processed by the Bank may be provided to the following categories of recipients of personal data:  
(a) bodies, institutions, regulated markets of which the Bank is a member – with regard to the realization and protection of the rights and interests of the Bank (e.g., conciliation commissions, courts) or as well as other persons to whom the Bank is required to provide personal data in accordance with a statutory requirement; 
(b) persons entrusted with the preparation, printing, assembling, delivery (including via SMS communication or electronically) of written correspondence;
(c) external contact centers;
(d) other companies from the group of DSK Bank (OTP Group) where it is required for the purposes of decision-making, administration and control in connection with the provision and execution of the services provided by the Bank, or these companies; 
(e) payment organizations and systems serving cashless payments and transfers, including with payment instruments.


5.2.2. Depending on the respective legal assumption, the personal data of natural persons under p. 1.2., letters (c) to (g) may be provided to DSK Bank by the data subjects themselves or through the following groups of third parties: 
(a) the personal data of individuals whose liabilities will be refinanced shall be obtained from the creditor through the borrower.
(b) the personal data of natural persons receiving funds in the Bank (e.g., from dividend payments, rent, indemnities, etc.) shall be obtained from the originator of the transfer with whom the Bank has contractual relations for the provision of services related to remittance of amounts payable to the recipient.


6. For the purposes of assessment of the possibility to use the Bank's products and services, the personal data of individuals may be subject to automated processing on the basis of which an automated decision shall be made. Automated processing is also a way of assessing the creditworthiness of individuals. It involves various checks, including checks at the official national registers as well as the Bank's databases which, on the basis of predefined criteria, result in a positive or negative decision on the use of a banking product or service. 
 
When an automated decision has been made, individuals have the right to express their opinion on the decision, to challenge the decision and to ask for human intervention in the decision-making process. 


7.1. The provision of personal data is voluntary where such data are necessary for the conclusion of a contract with the Bank. If the data is not provided, the Bank will not be able to provide a product or a service.  In the case of already established commercial or professional relations with the Bank, the provision of personal data may constitute a contractual or statutory requirement.  In such cases, failure to provide the required data may result in termination of the contract or the established commercial relationship.
The consequences of non-consent are specified in the document in which consent is given or are expressly mentioned by the Bank prior to the consent being given. 


7.2 The Bank does not consider anonymous complaints/ requests/ proposals.


8.1. Data subjects have the right of access, the right to request correction, deletion or limitation of the processing of their personal data processed by the Bank.


8.2. Data subjects have the right to receive the data from the Bank in the form and manner specified in the law and transfer them to another controller. Data subjects have the right to request the Bank to transfer directly their data to another controller where technically feasible.


8.3. Data subjects whose personal data are being processed may at any time object to the processing of their data when they are being processed on the basis of realization of rights and interests of the Bank that have a legitimate advantage over the interests of natural persons or for the purposes of direct marketing, and to withdraw the consents given by them in one of the following ways: 
1. By making a call to: 0700 10 375 
2. By sending an e-mail to:  call_center@dskbank.bg
3.  At each office of the Bank.


Withdrawal of consent does not affect the lawfulness of the processing of personal data prior to withdrawal.  
Despite withdrawal of consent, personal data may be processed by the Bank for other purposes if there is legal basis to process the data under p. 4 other than consent.

8.4. Natural persons may exercise their rights on the addresses and telephones for correspondence as referred to under p. 1 (Personal Data Protection Officer) and p. 8.3. after proper identification.


9. Natural persons may exercise their right of appeal to the Commission for Personal Data Protection, which is a data protection supervisory authority.


Personal Data Protection Commission:
Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., 
e-mail: kzld@cpdp.bg
website: www.cpdp.bg


10. DSK Bank stores collected personal data within the following time frames:
(a) where the data is processed on the basis of a request for use of a product/ service, for a maximum period of three months as of the date of submission of the request for conclusion of a contract, if the request is not approved;
(b) where the data is processed on the basis of a contract - for a period of 5 years as of the beginning of the calendar year following the year of termination of the relationship; transfer of receivable - 5 years after repayment of the claim to the transferee, but not earlier than 5 years after the final settlement of all legal proceedings related to it; 5 years from the beginning of the calendar year following the year of the termination of the relations between the Bank and the buyer of real estate - in the event of processing the data of a seller of a real estate;
(c) where the data is processed on the basis of consent, until withdrawal of the consent; 
(d) where the data are processed in connection with realization of rights and interests of the Bank which have a justified advantage over the interests of the natural persons - until the right is extinguished and/or the interest disappears;
(e) a period of 5 after the provision of the respective single service;
(f) a period of 3 years after the preparation of a reply to a complaint/ request/ proposal;
(h) a period of 5 years from the beginning of the calendar year following the year of termination of the relationship between the Bank and the person who has refinanced another party's credit obligation, in the case of processing the data of individuals whose credit obligations have been refinanced.


Once the deadlines have expired, if there is no other legal basis for processing of the data, it shall be deleted.  In order to obtain and analyze information related to the products and services used and to improve the service, the Bank may delete only part of the data.  In such a case, it shall continue to store a portion of the data that prevents natural persons from being subsequently identified.